TL;DR: RSAC 2026 exposed a familiar problem in new clothing: security AI can only act safely if it reasons from complete, relationship-aware context, not just telemetry and logs, according to JupiterOne. Machine-speed remediation without the event history, identity links, and control exceptions behind a finding turns automation into a faster way to make the wrong decision.
At a glance
What this is: This analysis argues that agentic AI in security is limited by incomplete context, not by a lack of detection data.
Why it matters: It matters because identity, asset, and control relationships determine whether autonomous security actions are safe, especially when remediation can affect NHI, human access, and downstream services.
👉 Read JupiterOne's analysis of agentic AI accuracy and security context at RSAC 2026
Context
Agentic AI in security only works when the system understands more than current-state telemetry. The core governance gap is that scanners and dashboards can show what is true now, but they rarely preserve the event history that explains why access exists, why a control exception was approved, or which identity is still supposed to have privilege. For IAM, PAM, and NHI programmes, that missing context is often the difference between safe automation and an outage.
The article’s primary point is that AI can accelerate security operations only if it reasons from a durable model of relationships across assets, identities, cloud resources, and controls. That places this squarely in the overlap between AI governance and identity governance: if an agent cannot determine who or what is actually entitled to act, it will struggle to make reliable decisions about remediation, containment, or access revocation.
Key questions
Q: How should security teams let agentic AI act without creating false remediation risk?
A: Security teams should only allow autonomous action when the system can verify current ownership, exception status, dependency impact, and entitlement provenance. If those inputs are missing, the safest design is human approval. Agentic AI becomes materially safer when it works from decision-quality context rather than raw alerts or telemetry alone.
Q: Why do identity relationships matter so much for security automation?
A: Identity relationships determine whether access is legitimate, temporary, inherited, or already superseded by another control. Without that context, automation cannot tell a valid production role from stale privilege or an emergency elevation from drift. That is why identity graph quality is now a security control, not just an inventory concern.
Q: What do security teams get wrong about autonomous remediation?
A: Teams often assume a finding is the same as a fixable problem. In reality, the finding may sit inside an approved exception, a live incident, or a dependency chain that makes blind remediation dangerous. The common failure is acting on state without understanding the event history behind it.
Q: How can organisations tell whether their context model is good enough for agentic AI?
A: A useful test is whether the system can explain why an identity has access, what would break if that access changed, and whether a compensating control already exists. If it cannot answer those questions consistently, the model is still operating at the data layer, not the knowledge layer.
Technical breakdown
Why the state clock is not enough for agentic security AI
Security tools are very good at recording the present state of an environment. They can show an open vulnerability, a public bucket, or an over-privileged account. What they usually cannot preserve is the event chain that explains why that state exists, such as a time-bound exception, a temporary incident role, or a compensating control approved outside the scanner. Agentic AI needs that event context because action is not the same as detection. If the system sees only current state, it may correct something that was intentionally configured and still operationally necessary.
Practical implication: build automation only where remediation can consult approval history, exception state, and current ownership before it acts.
Knowledge graphs connect identities, assets, and controls
A knowledge graph models relationships, not just objects. In security, that means linking a cloud workload to the role that can reach it, the repository that deploys it, the control that governs it, and the framework requirement it is meant to satisfy. This is materially different from inventory or alert aggregation, because the graph can answer questions that require traversal across domains. For agentic AI, that relational model is what turns a finding into a decision. Without it, the system can know something is exposed but not whether access is intentional, inherited, or already offset by another control.
Practical implication: treat relationship mapping as a prerequisite for autonomous response, not as a reporting layer.
Why access decisions need the event history behind them
Identity governance depends on understanding lifecycle, not just entitlements. An account can look risky in isolation while still being valid because it is tied to an active incident, a production deployment, or a contractor exception with a defined end state. The same is true for NHI and service accounts, where standing privilege often persists because no one captured the operational reason for it in a system the automation can read. Agentic AI without event history will overcorrect. It will revoke access that is still required, or preserve access that should have expired, because it cannot distinguish exception from drift.
Practical implication: feed automation from authoritative lifecycle and exception records before allowing it to change access or configuration.
NHI Mgmt Group analysis
Context is becoming the decisive control plane for agentic security AI. The article is right to frame incomplete context as the real blocker, because autonomous response is only as reliable as the model it reasons from. In practice, security teams are no longer choosing between data quality and automation maturity, they are choosing whether the system can understand relationships, exceptions, and operational intent. That makes context governance a programme-level issue for IAM, PAM, and NHI owners.
Security AI that cannot see identity relationships will create access risk faster than it reduces it. When remediation is triggered automatically, the question is not whether the finding is real, but whether the access path is still legitimate. This is where NHI and human identity governance intersect: standing privilege, orphaned service accounts, and temporary elevations all require lifecycle context that telemetry alone does not provide. Practitioners should treat identity relationship integrity as a prerequisite for any autonomous control.
Relationship-aware security is now the named concept the market needs to adopt. The article implicitly defines a gap between event data and decision-quality knowledge, and that gap is what makes agentic AI brittle in enterprise environments. A relationship-aware model is what allows tools to assess blast radius, ownership, compensating controls, and exception history before action. The practical conclusion is simple: if the platform cannot traverse the identity graph, it cannot safely automate response.
Continuous controls monitoring becomes more useful when it is tied to entitlement provenance. The article’s strongest operational insight is that compliance state is not enough without the history of how that state came to be. That matters for identity governance because exceptions, approvals, and compensating controls are often the difference between a defect and an accepted risk. Teams that cannot tie controls to entitlement provenance will continue to generate noise instead of actionable risk reduction.
Agentic AI in security will push vendors toward system-of-record claims, but practitioners should test those claims against operational reality. The market is moving toward platforms that promise autonomous action, but the real differentiator is whether the platform can reconcile identities, assets, and controls at the speed decisions are made. IAM and security architects should therefore evaluate whether any automation layer can consume authoritative identity context before it acts. That is the line between useful assistance and unsafe autonomy.
What this signals
Decision-quality context is becoming the gating factor for autonomous security operations. The practical lesson for programmes is that any AI workflow touching IAM, PAM, or NHI controls must be able to consume authoritative relationship data before it takes action. Without that, teams will simply automate the same ambiguity that already slows human analysts.
Blast-radius control will matter more than remediation speed. Once automation can act at machine pace, the differentiator is not how fast a finding is closed but whether the closure is safe for the identities and workloads connected to it. That is why entitlement provenance and dependency mapping need to be operational, not aspirational.
Security leaders should treat graph completeness as a governance metric. If the environment cannot answer who can touch what, why they can touch it, and what changed that state, autonomous response should remain constrained. That standard is especially important where NHI and human access intersect in the same workflows.
For practitioners
- Map identity and asset relationships before enabling automation Require every autonomous response workflow to resolve the affected asset, the owning identity, the exception state, and the downstream dependencies before it can take action. If any of those links are missing, route the finding to human review instead of execution.
- Preserve exception and approval history in a machine-readable source Store temporary access grants, compensating controls, and risk acceptances in a record that automation can query directly. Do not leave the operational reason for access in tickets, chat threads, or tribal knowledge.
- Validate blast radius before remediation runs Test whether the proposed remediation would break production, revoke a needed incident role, or remove access from a still-active NHI. Use dependency mapping to confirm what depends on the control or account before the system acts.
- Tie autonomous actions to entitlement provenance Make automation check who granted the access, when it was granted, and why it still exists. That provenance should determine whether the action is a remediation candidate or an approved exception.
Key takeaways
- Agentic security AI is limited less by detection capability than by the quality of the context it can reason from.
- Identity relationships, exception history, and dependency mapping determine whether autonomous remediation is safe or disruptive.
- Programmes should treat relationship-aware data models as a prerequisite for automation, not as an optional reporting layer.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | GOVERN | The article centres on governance and accountability for agentic AI decisions. |
| OWASP Agentic AI Top 10 | The article describes context gaps that can drive agent misuse and unsafe actions. | |
| NIST CSF 2.0 | PR.AC-4 | Identity and access relationships are central to the decision model discussed. |
Define ownership, oversight, and approval boundaries before any AI system can take autonomous action.
Key terms
- Knowledge Graph: A knowledge graph is a connected model of entities and their relationships, built so systems can traverse context rather than inspect records in isolation. In security, it links identities, assets, controls, and dependencies, allowing automation to reason about impact, ownership, and exception history before taking action.
- Decision-Quality Context: Decision-quality context is the set of facts a security system needs to make a safe and defensible action, not just a correct observation. It usually includes ownership, lifecycle state, compensating controls, approvals, dependencies, and downstream risk so the system can distinguish true remediation from harmful overcorrection.
- Entitlement Provenance: Entitlement provenance is the history of why an identity has access, who approved it, when it was granted, and what condition keeps it valid. It matters because access that looks excessive may still be intentional, while access that looks normal may be stale or inherited from a previous operational state.
- Event Clock: The event clock is the historical sequence that explains how a current security state came to exist. Unlike a snapshot, it records the approvals, exceptions, incidents, and operational decisions that shape access and configuration, which makes it essential for accurate automation and trustworthy governance.
What's in the full article
JupiterOne's full article covers the operational detail this post intentionally leaves for the source:
- How the graph-native model maps assets, identities, controls, and cloud resources into a single traversable environment.
- The specific way continuous controls monitoring supports framework mapping and relationship-aware security decisions.
- Examples of the questions JupiterOne AI can answer when it has verified environment context rather than isolated telemetry.
- The platform's integration footprint and J1QL-based traversal model for practitioners evaluating implementation detail.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in practical programme terms. It is designed for practitioners who need to connect identity controls to broader security operations and governance.
Published by the NHIMG editorial team on 2026-03-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org